Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/04/04 16:24:00 UTC
[jira] [Commented] (METRON-1496) ChainLink Parser to reuse parser code at parserConfig level
[ https://issues.apache.org/jira/browse/METRON-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425802#comment-16425802 ]
ASF GitHub Bot commented on METRON-1496:
----------------------------------------
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/969
@kevin91nl I think the discussion that you have helped spark here is worthy of a separate email discuss thread.
This is going to take more thought and discussion in the community to land on a good solution. What you've shown here are some great use cases that will help drive that discussion.
I think there are others in the community with slightly different views on how this should be done. Hopefully we can get everyone's minds working together in a discuss thread.
> ChainLink Parser to reuse parser code at parserConfig level
> -----------------------------------------------------------
>
> Key: METRON-1496
> URL: https://issues.apache.org/jira/browse/METRON-1496
> Project: Metron
> Issue Type: Improvement
> Reporter: Bas van de Lustgraaf
> Priority: Minor
>
> While developing some custom parsers, we wrote a couple of classes and functions that make it possible to reuse code and assemble parsers more quickly at the Java code level.
> We took this idea one step further and created the so-called ChainLinkParser.
> This parser gives users without any Java knowledge the opportunity to assemble parsers at the parser configuration level.
> We would like to discuss the code and see if it can be submitted to the project. We will create a PR during this week to submit the code for review and discussion.
> Below you'll find an example of our parser configuration for Suricata, which uses our ChainParser.
>
> {noformat}
> {
> "parserClassName":"nl.qsight.chainparser.ChainParser",
> "sensorTopic":"suricata",
> "readMetadata":true,
> "mergeMetadata":true,
> "numWorkers":3,
> "numAckers":3,
> "spoutParallelism":6,
> "spoutNumTasks":6,
> "parserParallelism":20,
> "parserNumTasks":20,
> "errorWriterParallelism":1,
> "errorWriterNumTasks":1,
> "spoutConfig":{
> "spout.firstPollOffsetStrategy":"LATEST"
> },
> "stormConfig":{
> "topology.max.spout.pending":2000
> },
> "parserConfig":{
> "chain":[
> "parse_json",
> "parse_username",
> "rename_fields",
> "parse_datetime"
> ],
> "parsers":{
> "parse_json":{
> "class":"nl.qsight.links.io.JSONDecoderLink"
> },
> "parse_username":{
> "class":"nl.qsight.links.io.RegexLink",
> "pattern":"(?i)(user|username|log)[=:](\\w+)",
> "selector":{
> "username":"2"
> },
> "input":"{{payload_printable}}"
> },
> "rename_fields":{
> "class":"nl.qsight.links.fields.RenameLink",
> "rename":{
> "proto":"protocol",
> "dest_ip":"ip_dst_addr",
> "src_ip":"ip_src_addr",
> "dest_port":"ip_dst_port",
> "src_port":"ip_src_port"
> }
> },
> "parse_datetime":{
> "class":"nl.qsight.links.io.TimestampLink",
> "patterns":[
> [
> "([0-9]{4})-([0-9]+)-([0-9]+)T([0-9]+):([0-9]+):([0-9]+).([0-9]+)([+-]{1}[0-9]{1,2}[:]?[0-9]{2})",
> "yyyy MM dd HH mm ss SSSSSS Z",
> "newest"
> ]
> ],
> "input":"{{timestamp}}"
> }
> }
> }
> }
> {noformat}
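To make the configuration above easier to discuss, here is a minimal Python sketch of how such a chain might be evaluated. It is not the Java code from the PR. The functions `render`, `json_decoder_link`, `regex_link`, `rename_link` and `run_chain`, the `LINKS` lookup table, the use of an `original_string` field for the raw input, and the sample message are all assumptions made for illustration. The behavior of each link is inferred from the configuration keys only, and the timestamp link is left out because its semantics are not described in the issue.

```python
import json
import re


def render(template, msg):
    """Replace each {{field}} placeholder with that field's value ("" if absent)."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(msg.get(m.group(1), "")), template)


def json_decoder_link(cfg, msg):
    """Assumed behavior: decode the raw input as JSON and merge its fields."""
    msg.update(json.loads(msg["original_string"]))
    return msg


def regex_link(cfg, msg):
    """Assumed behavior: match 'pattern' against 'input', copy selected groups."""
    match = re.search(cfg["pattern"], render(cfg["input"], msg))
    if match:
        for field, group in cfg["selector"].items():
            msg[field] = match.group(int(group))
    return msg


def rename_link(cfg, msg):
    """Assumed behavior: rename fields that are present, ignore the rest."""
    for old, new in cfg["rename"].items():
        if old in msg:
            msg[new] = msg.pop(old)
    return msg


# Hypothetical mapping from the configured class names to the sketches above.
LINKS = {
    "nl.qsight.links.io.JSONDecoderLink": json_decoder_link,
    "nl.qsight.links.io.RegexLink": regex_link,
    "nl.qsight.links.fields.RenameLink": rename_link,
}


def run_chain(parser_config, raw):
    """Apply the links named in 'chain', in order, to a single raw message."""
    msg = {"original_string": raw}
    for name in parser_config["chain"]:
        cfg = parser_config["parsers"][name]
        msg = LINKS[cfg["class"]](cfg, msg)
    return msg


# A trimmed copy of the parserConfig from the issue (timestamp link omitted).
parser_config = {
    "chain": ["parse_json", "parse_username", "rename_fields"],
    "parsers": {
        "parse_json": {"class": "nl.qsight.links.io.JSONDecoderLink"},
        "parse_username": {
            "class": "nl.qsight.links.io.RegexLink",
            "pattern": r"(?i)(user|username|log)[=:](\w+)",
            "selector": {"username": "2"},
            "input": "{{payload_printable}}",
        },
        "rename_fields": {
            "class": "nl.qsight.links.fields.RenameLink",
            "rename": {
                "proto": "protocol",
                "src_ip": "ip_src_addr",
                "dest_ip": "ip_dst_addr",
            },
        },
    },
}

# Invented sample event, not real Suricata output.
raw = (
    '{"proto": "TCP", "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2", '
    '"payload_printable": "username=alice"}'
)
result = run_chain(parser_config, raw)
```

In this sketch each link takes its own configuration block plus the message so far and returns the updated message, so reordering or adding entries in `chain` changes the parser without touching any code. Whether the actual ChainParser passes state between links this way is not stated in the issue.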
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)